How to remove SCVHOST.exe (W32/YahLover.Worm.gen or Win32/Autorun.R.worm)
This type of worm hides itself as SCVHOST.EXE or SCVHOSTS.EXE so it will look like the legitimate Windows program SVCHOST.EXE. This type of virus usually spread through Yahoo Messenger. This virus is also known as W32/YahLover.Worm.gen and Win32/Autorun.R.worm. One way to avoid infection from this virus is to ignore any invites from unknown friends.
This virus/worm installs itself in autorun.inf and once double click it will spread itself unto your system. Furthermore, it copies itself through all the shared folders on your computers throughout the network and installs itself in the registry entries remotely.
Here are indication that your computer is infected with this virus.
- This virus/worm blocks the task manager.(way to fix your task manager)
- The worm changes the registry to prevent running task manager and editing registry for harder detection. (way to enable registry editor)
- It automatically restarts the computer when you try to go to the command prompt.
- It duplicates itself to different locations of the shared folders. The duplicated virus/worm uses a FOLDER icon with an .exe file extension. WARNING! DO NOT double click these folders.
- It autostart via registry keys Windows->Run and add itself to WinNT->WinLogon->Explorer.exe
How to remove the virus
You can use NOD32 or any strong antovirus programs to remove this virus but if you don’t have a anti-virus or your antivirus can’t remove this virus try following the steps below to remove it manually.
- Boot your system in Safe Mode Command Prompt Only (How to start Windows in safe mode)
- After you log-in the command prompt will be opened (LOG-IN AS ADMINISTRATOR).
- Type CD C:\WINDOWS\SYSTEM32 (I assume that your Windows System files are located at Drive C)
- Type DIR /ah, this will display all hidden files on this directory folder. You will see the following files which is used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
- Type ATTRIB -H -R -S SCVHOST.EXE
- Type ATTRIB -H -R -S BLASTCLNNN.EXE
- Type ATTRIB -H -R -S AUTORUN.INI
- Type DEL SCVHOST.EXE
- Type DEL BLASTCLNNNN.EXE
- Type DEL AUTORUN.INI
- Type CD\
- Type ATTRIB -H -R -S AUTORUN.INF
- Type DEL AUTORUN.INF
After following the steps on removing the virus/worm files, the virus should now be removed from the registry of your system.
- At the command prompt type REGEDIT and press ENTER key. This will run the Registry Editor
- From the registry, look for the keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, you will see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, Delete this entry.
- Look again for the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, there’s an entry named: SHELL, it has a value = Explorer.exe SCVHOST.EXE , DON’T delete this entry!!! Just edit this entry and REMOVE the SCVHOST.EXE so that Explorer.exe will be the only value that remains from this registry entry.
After carefully following all the steps restart your computer on normal mode and the virus should now be gone.
Related posts:
- How to Remove Worm MyMP3.vbs
- How to Remove JAY.EXE and MVEO.EXE Virus
- How to remove W32:Navidad (Navidad.Exe)
- How to remove autorun.inf and prevent virus spreading and infection
- How to Remove Huelar.exe (mscvhost.exe, winlogos.exe) virus
- How to Remove Virus from USB Device
- How to Remove Happy99.exe (ska)
- How to Remove MSBLAST.exe worm virus
- How To Remove Pretty Park Worm
- How to remove TAGA LIPA ARE! Virus
7 Comments
his type of worm hides itself SCVHOST.EXE or SCVHOSTS.EXE so it will look like the legitimate Windows program SVCHOST.EXE. This type of virus usually spread through Yahoo Messenger. This virus is also known as W32/YahLover.Worm.gen and Win32/Autorun.R.worm. One way to avoid infection from this virus is to ignore any invites from unknown friends. This virus/worm installs itself in autorun.inf and once double click it will spread itself unto your system. Furthermore, it copies itself through all the shared folders on your computers throughout the network and installs itself in the registry entries remotely. Here are indication that your computer is infected with this virus.
Few months ago I’d this kind of virus on my pc and i was not able to connect to internet. Later i had only option to format my system drive.
But now onwards i dont have to format, I can follow up your method to delete / remove such virus from my pc.
Thank you
Svchost.exe is a valid generic host process name for services that run from dynamic-link libraries. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time.
On the other hand, Scvhost.exe is virus.
Brad Callen´s last blog post..How I built a 55,000 person email list in 2 weeks via Twitter & how you can use the same concept to build YOUR list
The svchost file is required to run these files as there is no executable. The .dlls called by the svchost executable could be for automatic updates or other legitimate programs, or they can be used to mask less benign programs. Usually you will have a good indication that the svchost.exe is masking a virus or some other major problem when it is using 50% or more of your computer’s resources.
Resource: Svchost info site.
Bart´s last undefined ..Response cached until Sun 4 @ 11:52 GMT (Refreshes in 23.95 Hours)
I would also add, there is a great tool to help uncover sneaky little trojan like conflicker. It is free, no cost at ALL. It doesn’t fix the problem it finds, it just lets you know there is one. It’s called svchost process anaylzer.